
I have upgraded PHP from 5.4 to 5.5, and there was a WARNING of mysql functions being deprecated. I have upgraded by using

 $conn = mysqli_connect(DB_SERVER, DB_USER, DB_PASSWORD, DB_DATABASE);

and using mysqli_query and similar functions, where the syntax is almost identical. I am using the procedural method, so I only change mysql_query (its counterpart function receives one more parameter, namely the database connection object) and, because it is abstracted in a function, I only need to have a global $conn in one or two functions; the rest of the code is almost identical, changing mysql_fetch_object for mysqli_fetch_object, etc., so the impact on code rewriting is minimal.

Is there some better form of upgrading to improve my queries? I find this modification somewhat strange, and I worry that it does not take the best benefit from the upgrade.

Cesar
  • Are you manually escaping user provided values before inserting them in your queries? This might be the perfect time to change those to prepared statements as well – Hanky Panky Mar 04 '16 at 10:35
  • I am using my custom function, which right now only does this: function sanistring($string){ global $conn; return mysqli_real_escape_string($conn, $string); } // function . I do not know about prepared statements, could you please enlighten me? – Cesar Mar 04 '16 at 10:36
  • If you continue to use that you don't really benefit a lot from the upgrade since it's a job half done. If you port over your queries to become prepared statements that gives you some extra protection also, and that's how you get the real benefit of making this move – Hanky Panky Mar 04 '16 at 10:37
  • I am reading about it and it seems similar to Drupal `db_query` syntax. They use `db_query("SELECT * FROM node WHERE nid = :nid", array(":nid" => $nid))` so they presumably make checks on ":nid" as being appropriate and filter SQL injections before committing to the database. – Cesar Mar 04 '16 at 10:40
  • Absolutely. Go through this post to see how easy it is and whether it provides you any benefit or not http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Hanky Panky Mar 04 '16 at 10:41
  • That is very interesting, thanks. As for SQL injection, I make my own checks of data integrity (data type, type cast, checking if the value is in an expected range, etc.), sometimes to a highly paranoid level, but I find that I could benefit from prepared statements to further improve security. Thank you very much! – Cesar Mar 04 '16 at 10:50
  • Use an IDE and replace all mysql with mysqli in the whole project; for a whole-project term change it's better to use an IDE like sublimetext3, and the shortcut for replace is Ctrl+Shift+F – ANSHUL GERA Mar 05 '16 at 05:15
  • Possible duplicate of [How to change mysql to mysqli?](https://stackoverflow.com/questions/1390607/how-to-change-mysql-to-mysqli) – Dharman Aug 06 '19 at 22:46
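The following is an added example, not code from the question or the comments, showing the migration the comments recommend: the question's own escaping helper ported to mysqli, the escaping-only query beside the same query as a procedural mysqli prepared statement, and the caveat that escaping only protects quoted string contexts. It assumes the DB_SERVER, DB_USER, DB_PASSWORD and DB_DATABASE constants from the question are defined; the `users(id INT, name VARCHAR)` table and the function names `find_user_escaped`, `find_user_prepared` and `find_user_by_id` are hypothetical.

```php
<?php
// Added example (not from the original post). Assumes the DB_* constants
// from the question are defined and a hypothetical table users(id INT, name VARCHAR).

// Throw on mysqli errors instead of silently returning false from every call.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = mysqli_connect(DB_SERVER, DB_USER, DB_PASSWORD, DB_DATABASE);
// Escaping is charset-dependent: set the charset on the connection,
// not with a "SET NAMES" query, so mysqli_real_escape_string knows it.
mysqli_set_charset($conn, 'utf8mb4');

// 1. The question's helper, ported to procedural mysqli.
function sanistring($string) {
    global $conn;
    return mysqli_real_escape_string($conn, $string);
}

// 2. Escaping-only version. This is safe only because the escaped value is
// also wrapped in single quotes in the SQL. An unquoted numeric context such as
//     "WHERE id = " . sanistring($id)
// stays injectable with input like "1 OR 1=1": there is no quote character
// for the escaper to escape, so the text becomes part of the query.
function find_user_escaped($name) {
    global $conn;
    $sql = "SELECT id, name FROM users WHERE name = '" . sanistring($name) . "'";
    $result = mysqli_query($conn, $sql);
    return mysqli_fetch_object($result); // object, or null when no row matches
}

// 3. Prepared-statement version (procedural mysqli). The SQL text is sent
// first and the values separately, so quoting, escaping and charset handling
// are done by the driver and server; the row-fetching code is unchanged.
function find_user_prepared($name) {
    global $conn;
    $stmt = mysqli_prepare($conn, "SELECT id, name FROM users WHERE name = ?");
    // Type string: 's' = string, 'i' = integer, 'd' = double, 'b' = blob
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt); // requires the mysqlnd driver (default since PHP 5.4)
    $row = mysqli_fetch_object($result);
    mysqli_stmt_close($stmt);
    return $row;
}

// Integer parameter: there is no quoting decision to get wrong, because the
// value is bound as an integer rather than spliced into the SQL text.
function find_user_by_id($id) {
    global $conn;
    $stmt = mysqli_prepare($conn, "SELECT id, name FROM users WHERE id = ?");
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_object(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row;
}

// Constructed hostile inputs for illustration.
$hostile = "x' OR '1'='1";
var_dump(find_user_escaped($hostile));  // escaped and quoted: searches for the literal name
var_dump(find_user_prepared($hostile)); // bound as data: also searches for the literal name
var_dump(find_user_by_id("1 OR 1=1"));  // bound as an integer: the trailing text cannot alter the query
```

The `sanistring` wrapper and the prepared statements can coexist during the migration: convert the queries that take user input first, and keep `mysqli_real_escape_string` only for the few places where a value genuinely cannot be a bound parameter (identifiers such as table or column names, which prepared statements cannot parameterize and which should be checked against an allow-list instead).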
